Spoofed packets problem


I'm having an issue with a UTM where one customer has issues with a provider connecting to their UTM, and the FW log blocks the connection with "spoofed packet" detected.


So far I've traced the issue and I think it's a subnetting issue. Here's the environment:

  • WAN1 connection that has IP (ex): gateway .129, which gives us an IP range of 129 to 254.
  • They also have another WAN in a completely different IP (call it WAN2); that IP has the published services they need to access.
  • The originating IP from the provider is which falls inside the subnet range for WAN1


The firewall log shows spoofed packets from to [WAN2 IP]

From what I can infer, the issue is that the provider is using an IP that corresponds to the WAN1 subnet (but it's not used or declared in the UTM). But shouldn't this be normal? I mean, an ISP can assign an IP subnet to multiple customers with different IPs on the same subnet, and they can access each other with no issues. Why is this failing here?

  • How are the settings of these WAN interfaces in UTM? Two interfaces?

    Best regards


  • In reply to Alexander Busch:

    Yes, they're two different physical interfaces and two different ISPs with totally different IP addresses

  • Hi,

    you can't use the same network (or subnet of a network) on two different interfaces!
    Ask the provider for the correct subnet or if both networks are private (RFC1918) ask one provider for a change.

  • In reply to JosefBergmann:

    But I'm not using the same network! As I've told you, both WANs have absolutely different IP networks.


    The provider (external) is accessing WAN2 from an IP that belongs to the WAN1 subnet, that's it. And the UTM treats it as a spoof incorrectly; I can't even find how to whitelist this, or I'm going to have to disable spoof protection system-wide.

  • In reply to Mast_01:

    But the interfaces are connected on a layer 2 basis, right? IP network is layer 3.

    Best regards


  • In reply to Mast_01:

    I also said "or subnet of a network". E.g. you can't use on WAN1 and on WAN2.

    Now I'm curious about these IP networks; can you send them to me via PM? I will check the holder.

  • In reply to JosefBergmann:

    But it's not a subnet either; I get the feeling there has been a misunderstanding about the addresses I gave as an example.


    WAN2 has a different IP, network, different everything from WAN1, as I stated in the first post.


    Alexander, I'm not sure what you mean by "But the interfaces are connected on a layer 2 basis, right? IP network is layer 3."

    I'll PM you the addresses, but I don't think it's going to be of much use.

  • In reply to Mast_01:

    To clarify - the traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet?

    The UTM would expect any and all traffic in WAN1's subnet to come in on that interface; you have declared to it that WAN1 is the link into that network, not WAN2.


  • In reply to RichardP:

    EXACTLY: traffic from the provider is incoming on WAN2 with an IP that is in WAN1's subnet.

    I see, so every address inside a certain subnet cannot come from outside that interface, from what you tell me (I suspected as much but never came across this issue).


    So what I should ask the ISP for is a tighter subnet mask, so that the external IP falls outside the subnet of WAN1.

  • In reply to Mast_01:

    Hola Mast,

    Don't worry about the ISP's subnet being in the Interface definition in the UTM. Unlike most routers that require the ISP's default gateway to be within the subnet, the UTM does not.

    Please alter your initial post so that it's clear that your definitions don't overlap. Instead of 1.2.3.x, obfuscate IPs like 181.XX.YY.150, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical.

    What interests me is that the ISP routes the other ISP's subnet directly to you.  They need to correct their routing.

    Cheers - Bob
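The behaviour RichardP describes (a source address that belongs to a directly connected subnet is only accepted on that subnet's own interface, which is a strict reverse-path check) and the "tighter subnet mask" remedy Mast_01 proposes can be reproduced with a small model. This is an added example written for this thread; it is not Sophos UTM code and does not use the UTM's real log format. All addresses are constructed from the RFC 5737 documentation ranges: WAN1 is modelled as a /25 whose gateway is .129, so the usable range is .129 to .254 as in the first post, and the provider's source address is assumed to be .200 in that range, arriving on WAN2.

```python
from ipaddress import ip_address, ip_interface

# Constructed, obfuscated addressing (RFC 5737 test ranges), not the thread's real IPs.
# WAN1 mirrors the first post: a /25 whose gateway is .129 and usable hosts run .129-.254.
INTERFACES = {
    "WAN1": ip_interface("203.0.113.130/25"),   # assumed: the UTM's own WAN1 address
    "WAN2": ip_interface("198.51.100.10/24"),   # assumed: the UTM's own WAN2 address
}

# Assumed provider source address: inside WAN1's /25 but arriving on WAN2.
PROVIDER_SRC = "203.0.113.200"


def owning_interface(src, interfaces):
    """Return the name of the interface whose directly connected subnet contains src,
    or None when src is not in any local subnet (ordinary routed traffic)."""
    src = ip_address(src)
    for name, iface in interfaces.items():
        if src in iface.network:
            return name
    return None


def check_ingress(ingress, src, interfaces):
    """Strict reverse-path style anti-spoofing check, modelled on the behaviour
    RichardP describes: a source that belongs to a directly connected subnet is
    only legitimate if it arrives on that subnet's interface."""
    owner = owning_interface(src, interfaces)
    if owner is None or owner == ingress:
        return "allowed"
    return f"spoofed: {src} belongs to {owner} but arrived on {ingress}"


def log_line(ingress, src, dst, interfaces):
    """Render a firewall-log style line (constructed format, not the UTM's real one)."""
    verdict = check_ingress(ingress, src, interfaces)
    return f"iface={ingress} src={src} dst={dst} verdict={verdict}"


def narrow_mask(interfaces, name, new_prefix):
    """Copy the interface table with `name` shrunk to a longer prefix: the
    'ask the ISP for a tighter subnet mask' remedy from the thread."""
    new = dict(interfaces)
    new[name] = ip_interface(f"{interfaces[name].ip}/{new_prefix}")
    return new


if __name__ == "__main__":
    wan2_ip = str(INTERFACES["WAN2"].ip)
    # Before: the provider's address is inside WAN1's /25, so it is dropped on WAN2.
    print(log_line("WAN2", PROVIDER_SRC, wan2_ip, INTERFACES))
    # After narrowing WAN1 to /26 (hosts .129-.190), .200 is no longer "local" to WAN1.
    narrowed = narrow_mask(INTERFACES, "WAN1", 26)
    print("WAN1 network after narrowing:", narrowed["WAN1"].network)
    print(log_line("WAN2", PROVIDER_SRC, wan2_ip, narrowed))
```

Running it shows the same packet flagged as spoofed with the /25 and allowed once WAN1 is narrowed to a /26, which is why the mask change Mast_01 suggests works. Bob's point applies to the narrowed definition too: the UTM does not require the ISP gateway to sit inside the interface's subnet, so shrinking the mask on the UTM side is safe, but the cleaner fix remains having the first ISP stop routing the other ISP's block directly to WAN2.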